b"            EVALUATION REPORT\n   Independent Evaluation of NRC\xe2\x80\x99s Implementation of the Federal\n      Information Security Management Act for Fiscal Year 2013\n\n                    OIG-14-A-03        November 22, 2013\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                              NRC\xe2\x80\x99s Web site at:\n             http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                UNITED STATES\n                        NUCLEAR REGULATORY COMMISSION\n                               WASHINGTON, D.C. 20555-0001\n\n\n\nOFFICE OF THE\nINSPECTOR GENERAL\n\n\n                                        November 22, 2013\n\n\nMEMORANDUM TO:            Mark A. Satorius\n                          Executive Director for Operations\n\n\n\nFROM:                     Stephen D. Dingbaum /RA/\n                          Assistant Inspector General for Audits\n\n\nSUBJECT:                  INDEPENDENT EVALUATION OF NRC'S\n                          IMPLEMENTATION OF THE FEDERAL INFORMATION\n                          SECURITY MANAGEMENT ACT FOR FISCAL YEAR 2013\n                          (OIG-14-A-03)\n\n\nAttached is the Office of the Inspector General\xe2\x80\x99s (OIG) report titled Independent\nEvaluation of NRC\xe2\x80\x99s Implementation of the Federal Information Security Management\nAct [FISMA] for Fiscal Year 2013. The objective was to perform an independent\nevaluation of the Nuclear Regulatory Commission\xe2\x80\x99s implementation of FISMA for FY\n2013.\n\nThe report presents the results of the subject evaluation. The agency had no comments\nat the exit conference on November 19, 2013.\n\nPlease provide information on actions taken or planned on each of the\nrecommendations within 30 days of the date of this memorandum. 
Actions taken or\nplanned are subject to OIG followup as stated in Management Directive 6.1.\n\nWe appreciate the cooperation extended to us by members of your staff during the\nevaluation. If you have any questions or comments about our report, please contact me\nat 415-5915 or Beth Serepca, Team Leader, at 415-5911.\n\nAttachment: As stated\n\x0c                           Independent Evaluation of\n                          NRC\xe2\x80\x99s Implementation of the\n                 Federal Information Security Management Act\n                              for Fiscal Year 2013\n\n\n\n\n                      Contract Number: GS-00F-0001N\n                Delivery Order Number: HHSP233201300215G\n\n                                                 November 20, 2013\n\n\n\n\nThe views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory\n                       Commission position, policy, or decision, unless so designated by other official documentation.\n\x0c[Page intentionally left blank]\n\x0c                                                                           Independent Evaluation of\n                                                            NRC\xe2\x80\x99s Implementation of FISMA for FY 2013\n\n\nEXECUTIVE SUMMARY\n\n\nBACKGROUND\n\n      The U.S. Nuclear Regulatory Commission (NRC) Office of the Inspector General (OIG)\n      retained Richard S. Carson & Associates, Inc. (Carson Associates), to perform an\n      independent evaluation of NRC\xe2\x80\x99s implementation of the Federal Information Security\n      Management Act (FISMA) for fiscal year (FY) 2013. This report presents the results of\n      that independent evaluation. 
Carson Associates will also submit responses to the Office\n      of Management and Budget\xe2\x80\x99s (OMB) annual FISMA reporting questions for OIGs via\n      OMB\xe2\x80\x99s automated collection tool in accordance with OMB guidance.\n\nOBJECTIVE\n\n      The objective was to perform an independent evaluation of NRC\xe2\x80\x99s implementation of\n      FISMA for FY 2013.\n\nRESULTS IN BRIEF\n\n      Program Enhancements and Improvements\n\n      NRC has continued to make improvements to its information technology (IT) security\n      program and progress in implementing the recommendations resulting from previous\n      FISMA evaluations. The agency has accomplished the following since the FY 2012\n      FISMA independent evaluation:\n\n         \xe2\x80\xa2   The agency continued to maintain current authorizations to operate for all agency\n             and contractor systems. In FY 2013, the agency completed security assessments\n             and authorizations of seven systems. As of the completion of fieldwork for FY\n             2013, all operational NRC information systems and both systems used or operated\n             by a contractor or other organization on behalf of the agency had a current\n             authorization to operate.\n         \xe2\x80\xa2   The agency completed or updated security plans for 18 of the 21 agency systems\n             and for both contractor systems.\n         \xe2\x80\xa2   The agency completed annual security control testing for 15 agency systems and\n             both contractor systems, and security test and evaluation in support of system\n             authorization for 5 agency systems. 
The one system for which annual security\n             control testing was not completed is scheduled to be decommissioned at the end\n             of the calendar year, so no testing was required.\n         \xe2\x80\xa2   The agency completed annual contingency plan testing for all agency and\n             contractor systems, and updated the contingency plans for 17 agency systems and\n             both contractor systems.\n         \xe2\x80\xa2   The agency issued several updated documents, processes, and standards related to\n             IT security including Management Directive and Handbook 12.5, NRC Cyber\n\n\n\n                                              i\n\x0c                                                                         Independent Evaluation of\n                                                          NRC\xe2\x80\x99s Implementation of FISMA for FY 2013\n\n\n            Security Program; Agency-wide Rules of Behavior for Authorized Computer\n            Use; Malicious Code Protection Guidance; Strong Password Standard; the NRC\n            Information Security Program Plan; and several incident response documents.\n\n     Program Weaknesses\n\n     While the agency has continued to make improvements in its IT security program and has\n     made progress in implementing the recommendations resulting from previous FISMA\n     evaluations, the independent evaluation identified the following information system\n     security program weaknesses.\n\n        \xe2\x80\xa2   The agency\xe2\x80\x99s contractor system oversight program is not consistently\n            implemented.\n        \xe2\x80\xa2   There is a repeat finding from a previous FISMA evaluation: configuration\n            management procedures are still not consistently implemented.\n        \xe2\x80\xa2   There is a repeat finding from several previous FISMA evaluations: the NRC plan\n            of action and milestone (POA&M) program still needs improvement.\n\nRECOMMENDATIONS\n\n 
    This report makes recommendations to the Executive Director for Operations to improve\n     NRC\xe2\x80\x99s information system security program and implementation of FISMA.\n     Recommendations are made in this report for the new finding only. Recommendations\n     for the repeat findings were made in prior reports, and completion of those findings is\n     being tracked through the OIG followup process. A consolidated list of\n     recommendations appears on page 15 of this report.\n\nAGENCY COMMENTS\n\n     An exit conference was held with the agency on November 19, 2013. At this meeting,\n     agency management stated their agreement with the findings and recommendations in\n     this report and opted not to provide formal comments for inclusion in this report.\n\n\n\n\n                                            ii\n\x0c                                                                         Independent Evaluation of\n                                                          NRC\xe2\x80\x99s Implementation of FISMA for FY 2013\n\n\nABBREVIATIONS AND ACRONYMS\n\n\nATO                 Authorization to Operate\nATU                 Authorization to Utilize\nCarson Associates   Richard S. 
Carson and Associates, Inc.\nCSO                 Computer Security Office\nFISMA               Federal Information Security Management Act\nFY                  Fiscal Year\nIT                  Information Technology\nNIST                National Institute of Standards and Technology\nNRC                 Nuclear Regulatory Commission\nOIG                 Office of the Inspector General\nOMB                 Office of Management and Budget\nPOA&M               Plan of Action and Milestones\nRMF                 Risk Management Framework\nSP                  Special Publication\n\n\n\n\n                                            iii\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2013\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              iv\n\x0c                                                                                                              Independent Evaluation of\n                                                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2013\n\n\nTABLE OF CONTENTS\n\n\nExecutive Summary ....................................................................................................... i\nAbbreviations and Acronyms ..................................................................................... iii\n\n1 Background .............................................................................................................. 1\n2 Objective ................................................................................................................... 1\n3 Findings .................................................................................................................... 1\n  3.1 Contractor Systems Oversight....................................................................... 
2\n            Finding #1: NRC\xe2\x80\x99s Inventory of Contractor Systems Is Incomplete ........................................... 3\n            3.1.1 NRC Inventory Requirements ........................................................................3\n            3.1.2 Inventory Information for NRC Contractor Systems Is Inconsistent .......... 4\n            Finding #2: NRC\xe2\x80\x99s RMF Is Not Consistently Followed for Contractor Systems ........................ 4\n            3.1.3 NRC RMF Requirements for Contractor Systems ........................................5\n            3.1.4 Agency Has Not Fully Met Requirements .....................................................5\n    3.2     Configuration Management ............................................................................ 6\n            Finding #3: NRC Configuration Management Procedures Are Not Consistently\n                 Implemented......................................................................................................................... 7\n            3.2.1 Configuration Management Requirements ...................................................7\n            3.2.2 Agency Has Not Fully Met Requirements .....................................................9\n    3.3     Plan of Action and Milestones (POA&M) ..................................................... 10\n            Finding #4: NRC POA&M Program Still Needs Improvement ................................................ 11\n            3.3.1 POA&M Process Requirements...................................................................11\n            3.3.2 Agency Has Not Fully Met Requirements ................................................... 
12\n            3.3.3 NRC\xe2\x80\x99s POA&M Tool Still Does Not Implement Key OMB and NRC\n                    POA&M Requirements .................................................................................13\n            3.3.4 Initial Target Remediation Dates Are Frequently Missed .......................... 14\n4 Consolidated List of Recommendations ............................................................. 15\n5 Agency Comments ................................................................................................ 17\n\n\nAppendix.                 OBJECTIVE, SCOPE, AND METHODOLOGY ............................................ 19\n\n\n\n\n                                                                         v\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2013\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              vi\n\x0c                                                                                         Independent Evaluation of\n                                                                          NRC\xe2\x80\x99s Implementation of FISMA for FY 2013\n\n\n1       Background\n\nOn December 17, 2002, the President signed the E-Government Act of 2002, which included the\nFederal Information Security Management Act (FISMA) of 2002. 1 FISMA outlines the\ninformation security management requirements for agencies, which include an annual\nindependent evaluation of an agency\xe2\x80\x99s information security program 2 and practices to determine\ntheir effectiveness. This evaluation must include testing the effectiveness of information security\npolicies, procedures, and practices for a representative subset of the agency\xe2\x80\x99s information\nsystems. 
The evaluation also must include an assessment of compliance with FISMA\nrequirements and related information security policies, procedures, standards, and guidelines.\nFISMA requires the annual evaluation to be performed by the agency\xe2\x80\x99s Office of the Inspector\nGeneral (OIG) or by an independent external auditor. 3 Office of Management and Budget\n(OMB) memorandum M-14-04, Fiscal Year 2013 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management, dated November 18,\n2013, requires OIG to report their responses to OMB\xe2\x80\x99s annual FISMA reporting questions for\nOIGs via an automated collection tool.\n\nThe U.S. Nuclear Regulatory Commission (NRC) OIG retained Richard S. Carson & Associates,\nInc. (Carson Associates), to perform an independent evaluation of NRC\xe2\x80\x99s implementation of\nFISMA for fiscal year (FY) 2013. This report presents the results of that independent evaluation.\nCarson Associates will also submit responses to OMB\xe2\x80\x99s annual FISMA reporting questions for\nOIGs via OMB\xe2\x80\x99s automated collection tool in accordance with OMB guidance. A consolidated\nlist of recommendations appears on page 15.\n\n2       Objective\n\nThe objective was to perform an independent evaluation of NRC\xe2\x80\x99s implementation of FISMA for\nFY 2013. 
The report appendix contains a description of the evaluation objective, scope, and\nmethodology.\n\n3       Findings\n\nNRC has continued to make improvements to its information technology (IT) security program\nand progress in implementing the recommendations resulting from previous FISMA evaluations.\nThe agency has accomplished the following since the FY 2012 FISMA independent evaluation:\n\n1\n  The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the\n  E-Government Act of 2002 (Public Law 107-347) and replaces the Government Information Security Reform Act,\n  which expired in November 2002.\n2\n  NRC uses the term \xe2\x80\x9cinformation security program\xe2\x80\x9d to describe its program for ensuring that various types of\n  sensitive information are handled appropriately and are protected from unauthorized disclosure in accordance with\n  pertinent laws, Executive orders, management directives, and applicable directives of other Federal agencies and\n  organizations. For the purposes of FISMA, the agency uses the term information technology (IT) security\n  program.\n3\n  While FISMA uses the language \xe2\x80\x9cindependent external auditor,\xe2\x80\x9d OMB Memorandum M-04-25, FY 2004\n  Reporting Instructions for the Federal Information Security Management Act, clarified this requirement by stating,\n  \xe2\x80\x9cWithin the context of FISMA, an audit is not contemplated. 
By requiring an evaluation but not an audit, FISMA\n  intended to provide Inspectors General some flexibility.\xe2\x80\xa6\xe2\x80\x9d\n\n\n                                                         1\n\x0c                                                                                        Independent Evaluation of\n                                                                         NRC\xe2\x80\x99s Implementation of FISMA for FY 2013\n\n\n\n\n      \xe2\x80\xa2    The agency continued to maintain current authorizations to operate for all agency and\n           contractor systems. In FY 2013, the agency completed security assessments and\n           authorizations of seven systems. As of the completion of fieldwork for FY 2013, all\n           operational NRC information systems and both systems used or operated by a contractor\n           or other organization on behalf of the agency had a current authorization to operate. 4\n      \xe2\x80\xa2    The agency completed or updated security plans for 18 of the 21 agency systems and for\n           both contractor systems.\n      \xe2\x80\xa2    The agency completed annual security control testing for 15 agency systems and both\n           contractor systems, and security test and evaluation in support of system authorization for\n           5 agency systems. 
The one system for which annual security control testing was not\n           completed is scheduled to be decommissioned at the end of the calendar year, so no\n           testing was required.\n      \xe2\x80\xa2    The agency completed annual contingency plan testing for all agency and contractor\n           systems, and updated the contingency plans for 17 agency systems and both contractor\n           systems.\n      \xe2\x80\xa2    The agency issued several updated documents, processes, and standards related to IT\n           security including Management Directive and Handbook 12.5, NRC Cyber Security\n           Program; Agency-wide Rules of Behavior for Authorized Computer Use; Malicious\n           Code Protection Guidance; Strong Password Standard; the NRC Information Security\n           Program Plan; and several incident response documents.\n\nWhile the agency has continued to make improvements in its IT security program and has made\nprogress in implementing the recommendations resulting from previous FISMA evaluations, the\nindependent evaluation identified the following information system security program\nweaknesses.\n\n      \xe2\x80\xa2    The agency\xe2\x80\x99s contractor system oversight program is not consistently implemented.\n      \xe2\x80\xa2    There is a repeat finding from a previous FISMA evaluation: configuration management\n           procedures are still not consistently implemented.\n      \xe2\x80\xa2    There is a repeat finding from several previous FISMA evaluations: the NRC plan of\n           action and milestone (POA&M) program still needs improvement.\n\nRecommendations are made in this report for the new finding only. 
Recommendations for the\nrepeat findings were made in prior reports, and completion of those findings is being tracked\nthrough the OIG followup process.\n\n3.1        Contractor Systems Oversight\n\nFISMA requires agencies to provide information security protections commensurate with the risk\nand magnitude of harm resulting from unauthorized access, use, disclosure, disruption,\nmodification, or destruction of (1) information collected or maintained by or on behalf of the\nagency or (2) information systems used or operated by an agency or by a contractor of an agency\n\n4\n    Four operational NRC information systems are operating under an ATO extension.\n\n\n                                                         2\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2013\n\n\nor other organization on behalf of an agency. Management Directive and Handbook 12.5\nrequires Federal agencies or third-party service providers hosting NRC capabilities to meet NRC\ncyber security requirements. Computer Security Office (CSO) process CSO-PROS-2030, NRC\nRisk Management Framework (RMF) and Authorization Process, provides the process for\napplying the RMF described in National Institute of Standards and Technology (NIST) Special\nPublication (SP) 800-37, Guide for Applying the Risk Management Framework to Federal\nInformation Systems, to secure NRC systems, including contractor systems, and includes the\nsteps required to obtain IT system authorization and authorization requirements for IT systems,\napplications, laptops, services, and facilities.\n\nHowever, the FISMA evaluation team found that agency\xe2\x80\x99s contractor system oversight program\nis not consistently implemented. 
Specifically, NRC\xe2\x80\x99s inventory of contractor systems is\nincomplete and the NRC\xe2\x80\x99s RMF is not consistently followed for contractor systems. As a result,\nthe agency cannot determine whether systems that are owned or operated by contractors or other\nentities are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines.\n\nFinding #1: NRC\xe2\x80\x99s Inventory of Contractor Systems Is Incomplete\n\nCSO-PROS-2030 provides the process for applying the NIST RMF secure NRC systems and\ndefines the six types of systems and services to which the RMF applies. However, the FISMA\nevaluation team found that NRC\xe2\x80\x99s inventory of contractor systems is incomplete. As a result,\nNRC is not able to obtain assurance that security controls of such systems and services are\neffectively implemented and comply with Federal and agency guidelines.\n\n3.1.1 NRC Inventory Requirements\n\nCSO-PROS-2030 defines the following categories of systems. Each system in the NRC\ninventory should be classified as one of these systems.\n\n   \xe2\x80\xa2   IT System \xe2\x80\x93 a compilation of hardware and software that operates within its own\n       authorization boundary to electronically perform a specific task or set of tasks. IT\n       Systems are NRC-owned, NRC contractor systems, or customized implementations of\n       systems for NRC, and they exist in their own authorization boundary (i.e., not part of\n       another system\xe2\x80\x99s authorization boundary).\n   \xe2\x80\xa2   Application \xe2\x80\x93 computer software designed to perform singular or multiple related\n       specific tasks. 
Applications are NRC commercial off-the-shelf, Government off-the-\n       shelf, or custom software; do not have the security infrastructure or foundation to exist in\n       their own authorization boundary; and are part of an IT System\xe2\x80\x99s authorization boundary.\n   \xe2\x80\xa2   Laptops and Stand-Alone Personal Computers \xe2\x80\x93 non-centrally managed laptops and\n       stand-alone personal computers, including those processing sensitive unclassified non-\n       safeguards information, safeguards information, and classified information (does not\n       include laptops and desktops that are part of the NRC infrastructure system\xe2\x80\x99s boundary).\n   \xe2\x80\xa2   Service \xe2\x80\x93 external services that support NRC\xe2\x80\x99s operational mission. Examples include\n       public Web site hosting and external Government or private contractor\n       applications/services (non-NRC).\n\n\n\n                                                3\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2013\n\n\n   \xe2\x80\xa2   Facility \xe2\x80\x93 physical building leased or owned by a contractor or other Government agency\n       to host NRC systems. 
IT components hosted in the facility must have an IT System\n       Authorization to Operate (ATO).\n   \xe2\x80\xa2   Social Media \xe2\x80\x93 public Web 2.0 Web sites owned and operated by an external third-party\n       (e.g., Facebook, Flickr, Twitter, and YouTube).\n\nThe NRC inventory also identifies the owner of the system (e.g., NRC or Contractor), the\nsecurity type of the system (e.g., Major Application, General Support System, Listed System,\nOther System), and whether or not the system is an e-Government system (i.e., operated by\nanother Federal agency).\n\n3.1.2 Inventory Information for NRC Contractor Systems Is Inconsistent\n\nThe FISMA evaluation team reviewed the NRC inventory as of September 30, 2013, and found\nseveral examples of incorrect or missing information for NRC contractor systems. The\nfollowing are some examples:\n\n   \xe2\x80\xa2   Seven systems are missing an owner (i.e., NRC or Contractor). Based on other\n       information in the inventory, these are likely Contractor systems.\n   \xe2\x80\xa2   Four systems are missing a security type (i.e., Major Application, General Support\n       System, Listed System, Other System).\n   \xe2\x80\xa2   Eight systems are missing the flag denoting whether the system is an e-Government\n       system.\n   \xe2\x80\xa2   Two systems are incorrectly classified as IT Systems when they should be Services.\n   \xe2\x80\xa2   Three systems are incorrectly classified as Applications when they should be either IT\n       Systems or Services.\n   \xe2\x80\xa2   One system is incorrectly classified as a Service when it should be classified as Social\n       Media.\n   \xe2\x80\xa2   The inventory is missing a Federal data center that hosts an IT System.\n\nRECOMMENDATION\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   1. 
Update the information in the NRC inventory for contractor systems to include missing\n      information and to correctly classify contractor systems in accordance with CSO-PROS-\n      2030, NRC Risk Management Framework.\n\nFinding #2: NRC\xe2\x80\x99s RMF Is Not Consistently Followed for Contractor Systems\n\nCSO-PROS-2030 describes the process for applying the NIST RMF to secure NRC systems,\nincluding the steps required to obtain IT system authorization and authorization requirements for\nIT systems, applications, laptops, services, and facilities. However, the FISMA evaluation team\nfound that NRC\xe2\x80\x99s RMF is not consistently followed for contractor systems. This is likely due in\n\n\n\n                                                4\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2013\n\n\npart to the fact that the inventory of contractor systems is incomplete. As a result, NRC is not\nable to obtain assurance that security controls of such systems and services are effectively\nimplemented and comply with Federal and agency guidelines.\n\n3.1.3 NRC RMF Requirements for Contractor Systems\n\nCSO-PROS-2030 defines the following categories of systems and their authorization\nrequirements. These requirements apply to NRC systems and to systems operated on the\nagency\xe2\x80\x99s behalf by contractors or other entities.\n\n   \xe2\x80\xa2   IT System \xe2\x80\x93 requires an ATO.\n   \xe2\x80\xa2   Application \xe2\x80\x93 inherits the ATO from its host IT System.\n   \xe2\x80\xa2   Laptops and Stand-Alone Personal Computers \xe2\x80\x93 requires laptop certification.\n   \xe2\x80\xa2   Service \xe2\x80\x93 requires an Authorization to Utilize (ATU). 
If the Service is not authorized to\n       operate by another Federal agency, then it must be authorized to operate by the NRC as\n       an IT System.\n   \xe2\x80\xa2   Facility \xe2\x80\x93 requires a Facility ATO. If the Facility ATO is not issued by another Federal\n       agency, then additional authorization requirements apply.\n   \xe2\x80\xa2   Social Media \xe2\x80\x93 requires a Web 2.0 Implementation ATO.\n\nOnce a Service is issued an ATU, it also requires confirmation of annual system security plan\nupdates, annual contingency plan testing, and annual security control testing. Instructions\nincluded with the IT security risk management activities memorandum for FY 2013, issued\nNovember 28, 2012, included a requirement to ensure systems owned and/or operated by other\nagencies or contractors also satisfy annual contingency plan testing and control testing\nrequirements and have a valid ATO. For such systems, the NRC organization must obtain a\nmemorandum from the agency that owns or operates the system confirming the following:\n\n   \xe2\x80\xa2   Completion of annual contingency plan testing, including date test was completed.\n   \xe2\x80\xa2   Completion of annual control testing, including date test was completed.\n   \xe2\x80\xa2   Status of ATO, including the date of the current ATO. For new or revised ATO dates,\n       also provide the agency\xe2\x80\x99s certification/security control assessment and ATO memos.\n\nThis memorandum was required to be entered in the agency\xe2\x80\x99s official document repository and\nsubmitted to the CSO by emailing the document\xe2\x80\x99s repository tracking number by September 15,\n2013.\n\n3.1.4 Agency Has Not Fully Met Requirements\n\nThe FISMA evaluation team reviewed the authorization documentation for contractor systems\nand found that the agency has not fully met NRC RMF requirements for contractor systems. 
The\nfollowing are some examples:\n\n\n\n\n                                                 5\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2013\n\n\n      \xe2\x80\xa2   The evaluation team identified one system on the inventory classified as an IT System\n          that does not have an ATO, as well as one system that may be incorrectly classified as an\n          Application.\n      \xe2\x80\xa2   The IT security risk management activities memorandum and instructions for FY 2013\n          listed nine systems to which annual requirements for systems owned and/or operated by\n          other agencies or contractors apply, one of which was retired after the memorandum was\n          issued. However, the evaluation team found that the list of contractor systems in the\n          November 2012 memorandum was incomplete. The list should have included three\n          additional systems, one of which has had an ATU since 2011, as well as one additional\n          system that may be incorrectly classified as an Application. In addition, the evaluation\n          team found that for the systems on the list, the agency did not obtain the required\n          documentation from the hosting organization(s) as required. Required documentation\n          was submitted only for one system.\n      \xe2\x80\xa2   For Services not authorized by another Federal agency, they must be authorized to\n          operate by the agency as an IT System. The evaluation team identified four systems on\n          the inventory classified as a Service that are not authorized by another Federal agency\n          and do not have an ATO issued by NRC.\n\nRECOMMENDATIONS\n\n      The Office of the Inspector General recommends that the Executive Director for Operations:\n\n      2. 
Based on the updated inventory of contractor systems, identify those that are not\n         compliant with CSO-PROS-2030, NRC Risk Management Framework, and complete\n         appropriate authorization activities for those systems.\n      3. Develop procedures for ensuring the annual IT security risk management activities for\n         systems owned and/or operated by other agencies or contractors are completed in\n         accordance with NRC requirements.\n\n3.2       Configuration Management\n\nFISMA requires agencies to develop policies and procedures that ensure compliance with\nminimally acceptable system configuration requirements as determined by the agency. NIST SP\n800-53, Recommended Security Controls for Federal Information Systems and Organizations,\nrequires organizations to (1) develop, document, and maintain under configuration control, a\ncurrent baseline configuration for information systems; (2) establish and document mandatory\nconfiguration settings for IT products employed within information systems; (3) monitor and\ncontrol changes to the configuration settings; (4) scan for vulnerabilities in information systems;\n(5) remediate legitimate vulnerabilities within organization-defined response times; and (6)\nincorporate flaw remediation into the configuration management process.\n\nThe agency has established and is maintaining a configuration management program that is\nconsistent with FISMA requirements and applicable NIST guidelines. 
The FY 2011 FISMA\nevaluation found that configuration management procedures are not consistently implemented.\nSpecifically, (i) standard baseline configurations are not implemented on some NRC systems; (ii)\nsoftware compliance assessment procedures are not consistently implemented; and (iii)\nvulnerability remediation and patch management procedures are not consistently implemented.\nThe agency has yet to implement the five recommendations from the FY 2011 FISMA\nevaluation related to configuration management, and many of the same issues were found again\nin the FY 2013 evaluation. As a result, information security protections may not be\ncommensurate with the risk and magnitude of the harm resulting from unauthorized access, use,\ndisclosure, disruption, modification, or destruction of NRC information and information systems.\n\nFinding #3: NRC Configuration Management Procedures Are Not Consistently\nImplemented\n\nThe NRC configuration management program includes CSO-issued processes, procedures,\nstandards, guidelines, checklists, and templates. These include standard baseline configurations\nfor software, hardware, and other technologies in use at the agency; procedures for assessing\nsoftware for compliance with baseline configurations; and processes for timely remediation of\nvulnerabilities, including configuration-related vulnerabilities and scan findings, and for the\ntimely and secure installation of software patches. However, the FISMA evaluation team found\nthat NRC configuration management procedures are not consistently implemented. 
Specifically,\n(i) standard baseline configurations are not implemented on some NRC systems; (ii) software\ncompliance assessment procedures are not consistently implemented; and (iii) vulnerability\nremediation and patch management procedures are not consistently implemented. As a result,\ninformation security protections may not be commensurate with the risk and magnitude of the\nharm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction\nof NRC information and information systems.\n\n3.2.1 Configuration Management Requirements\n\nStandard Baseline Configurations\n\nCSO is responsible for identifying the system configuration standards to be used in protecting\nany information system that stores, transmits/receives, or processes NRC information. CSO\npublishes and maintains NRC-specific configuration standards, but also relies on those published\nby other authoritative sources. Configuration baselines apply in the following order of\nprecedence: CSO standards; then finalized Defense Information Systems Agency standards,\nchecklists, and guidance; and then finalized Center for Internet Security benchmarks.\n\nThe CSO has developed five broad categories of standards:\n\n   \xe2\x80\xa2   General Cyber Security Standards \xe2\x80\x93 technology- and implementation-independent\n       requirements that apply across the NRC and to all information systems that store,\n       transmit/receive, or process NRC information. 
These standards include CSO-STD-0001,\n       NRC Strong Password Standard, and CSO-STD-0020, Organization Defined Values for\n       System Security Controls.\n   \xe2\x80\xa2   Network Standards \xe2\x80\x93 apply to the network infrastructure overall and set the minimum\n       baseline cyber security requirements for network devices, such as network routers,\n       switches, firewalls, and wireless network components that transmit/receive NRC\n       information.\n   \xe2\x80\xa2   Operating System Standards \xe2\x80\x93 apply to operating systems for all types of computers,\n       except the firmware and operating systems of network devices (e.g., routers, firewalls,\n       switches, sensors, and load balancers). Standards for network device operating systems\n       are included within the Network Standards category.\n   \xe2\x80\xa2   Application Standards \xe2\x80\x93 apply to application software used to perform a specific task,\n       such as word processing, Web browsing, and financial management, and to software used\n       to manage or provide services to the infrastructure (e.g., database, e-mail, file, and Web\n       servers). Internet applications (e.g., Twitter, Facebook, Flickr, WordPress, and YouTube)\n       are covered under CSO-STD-1314, NRC Web 2.0 Implementation Standard.\n   \xe2\x80\xa2   Device Standards \xe2\x80\x93 apply to IT resources that store, process, and print NRC information.\n\nSoftware Compliance Assessment\n\nCSO-PROS-2030 requires vulnerability assessments as part of Step 4 of the RMF. CSO-PROS-1323,\nU.S. 
NRC Agency-wide Continuous Monitoring Program, requires network-based scans,\nhardening checks, Web application security assessments for Web-based systems, and wireless\nscans at least annually, and more frequently depending on the system sensitivity level. System\nowners must provide evidence of periodic scanning to the CSO. CSO-STD-0020 requires system\nowners to scan for vulnerabilities at least quarterly. CSO-PROS-1401, Periodic System Scanning\nProcess, describes the process to be used to perform periodic scans on NRC systems effectively.\n\nThe IT security risk management activities memorandum and instructions for FY 2013 define the\nfrequency for performing patch and vulnerability management activities. System owners must\ncomplete the following to continuously detect and resolve vulnerabilities in their systems:\n\n   \xe2\x80\xa2   Track patch and vulnerability management through a formal change control process.\n   \xe2\x80\xa2   Establish a patching and vulnerability scanning schedule that is aligned so that\n       vulnerabilities are resolved and fixes are verified.\n   \xe2\x80\xa2   Ensure routine scans and security checks are conducted in a timely fashion.\n   \xe2\x80\xa2   Ensure findings identified in the scans and security checks are added to and tracked in the\n       POA&M in accordance with CSO-PROS-2016, U.S. NRC POA&M Process.\n   \xe2\x80\xa2   Upload a Periodic Scan Report as an artifact in the agency information assurance tool to\n       serve as evidence of scanning and patching/lack of patching. 
The CSO will review the\n       previous report when verifying the current quarter\xe2\x80\x99s POA&M.\n\nVulnerability Remediation and Patch Management\n\nCSO-STD-0020 requires legitimate vulnerabilities to be remediated in accordance with an\norganizational assessment of risk and within the following timeframes:\n\n   \xe2\x80\xa2   Within 21 calendar days for critical findings.\n   \xe2\x80\xa2   Within 45 calendar days for high-risk findings.\n   \xe2\x80\xa2   Within 90 calendar days for moderate-risk findings.\n   \xe2\x80\xa2   Within 120 calendar days for low-risk findings.\n\nNRC also requires system owners to ensure automated mechanisms are employed quarterly to\ndetermine the state of information system components with regard to flaw remediation. The IT\nsecurity risk management activities memorandum and instructions for FY 2013 require system\nowners to patch, scan, and check the security of their systems with the rigor and frequency\nappropriate for the system sensitivity level and define the frequency for conducting routine\npatching.\n\n3.2.2 Agency Has Not Fully Met Requirements\n\nThe FISMA evaluation team reviewed the security test and evaluation results for the four\nsystems selected for evaluation in FY 2013, and the annual security control test results for\nagency and contractor systems, specifically test results for controls related to configuration\nmanagement, vulnerability scanning, and patching. We also reviewed a network security\nevaluation report for an assessment performed on the NRC network by another agency in the\nspring of 2012. 
As in previous years, we found that configuration management continues to be\nan issue with many NRC systems.\n\nStandard Baseline Configurations Are Not Implemented on Some NRC Systems\n\nAs reported in the FY 2011 FISMA evaluation, the FY 2013 FISMA evaluation team found that\nstandard baseline configurations are not implemented on some NRC systems. Vulnerability\nscanning performed as part of security control assessment activities identified numerous\nvulnerabilities that demonstrate non-compliance with required baseline configurations in more\nthan half of NRC\xe2\x80\x99s operational systems. These are vulnerabilities that the agency has identified\nas actual weaknesses requiring remediation, and most are being tracked on the agency\xe2\x80\x99s\nPOA&Ms. This issue is due in part to problems with the templates used in the agency\xe2\x80\x99s\ncompliance assessment tool. Recent security control assessments performed by the agency found\nthat some compliance tool templates are not configured per NRC-established checklists. As a\nresult, security controls are not being assessed against the correct criteria. In addition, recent\nsecurity control assessments performed by the agency found that group policy objects issued by\nthe agency\xe2\x80\x99s infrastructure system do not match NRC-mandated configuration settings. As a\nresult, any server applying these group policy objects is not compliant. The 2012 security\nevaluation performed by another agency on the NRC network also found a lack of a strictly\nenforced software baseline for Windows servers.\n\nSoftware Compliance Assessment Procedures Are Not Consistently Implemented\n\nAs reported in the FY 2011 FISMA evaluation, the FY 2013 FISMA evaluation team found that\nsoftware compliance assessment procedures are not consistently implemented. 
Recent security\ncontrol assessments performed by the agency found that four of NRC\xe2\x80\x99s operational systems\ncontinue to have issues implementing software compliance assessment procedures in accordance\nwith NRC requirements. These systems are not performing scans in accordance with agency\ntimeframes. In one instance, a portion of a system\xe2\x80\x99s components were not being scanned at all.\nFor another system, a deviation was granted for a portion of the system to be scanned annually\ninstead of quarterly; however, scans were not performed in accordance with the timeframe in the\napproved deviation. The most significant finding from recent security control assessments\nperformed by the agency is that multiple components of NRC\xe2\x80\x99s infrastructure system are not\nbeing scanned, either because they were simply not included in the scans, because they were not\njoined to the domain, or because they were not scanned with credentials as required. For the\nfourth system, scans are not being performed quarterly as required.\n\nVulnerability Remediation and Patch Management Procedures Are Not Consistently\nImplemented\n\nAs reported in the FY 2011 FISMA evaluation, the FY 2013 FISMA evaluation team found that\nconfiguration-related vulnerabilities, scan findings, and security patch-related vulnerabilities are\nnot always remediated in a timely manner. Recent security control assessments performed by\nthe agency found that one-third of NRC\xe2\x80\x99s operational systems continue to have issues\nremediating vulnerabilities in a timely manner. Delays in patching systems were due in part to\nproblems the agency was having with its patch management software. 
The software was\nunable to push patches to some system components for 2 months, or dropped servers from the\ngroup that was to receive a particular patch. As a result, servers for two systems were not\nconsistently receiving the required patches. In addition, recent security control assessments\nperformed by the agency found another nine systems with missing patches and/or outstanding\nweaknesses from previous assessments. The 2012 security evaluation performed by another\nagency on the NRC network also found systematic issues with patching UNIX systems throughout\nthe agency, issues with patching third-party software running on Windows servers, and issues\nwith patching database software.\n\nRECOMMENDATIONS\n\nThe issue with configuration management procedures is a repeat finding from the FY 2011\nFISMA evaluation. The five recommendations from the FY 2011 FISMA evaluation are still\nopen, as the agency has not completed all of its planned remediation activities. Therefore,\nOIG is not issuing any new recommendations for addressing this finding.\n\n3.3    Plan of Action and Milestones (POA&M)\n\nFISMA, OMB, and NIST define the requirements for a POA&M process for planning,\nimplementing, evaluating, and documenting remedial action to address any deficiencies in the\ninformation security policies, procedures, and practices of the agency. To meet these\nrequirements, NRC developed CSO-PROS-2016, U.S. NRC POA&M Process, and implemented\nan automated tool to help manage the agency POA&Ms. CSO-PROS-2016 describes the process\nfor NRC to identify, assess, prioritize, and monitor the progress of corrective actions pertaining\nto security weaknesses and provides agency direction for the management and tracking of\ncorrective efforts relative to known weaknesses in IT security controls. 
NRC uses an automated\ntool for tracking IT security weaknesses associated with information systems used or operated by\nthe agency or by a contractor of the agency or other organization on behalf of the agency. The\nFY 2012 FISMA evaluation found that NRC\xe2\x80\x99s POA&M process was not consistently followed\nand the agency\xe2\x80\x99s POA&M tool did not implement key OMB and NRC POA&M requirements.\nThe agency has yet to complete the two recommendations from the FY 2012 FISMA evaluation\nrelated to the POA&M process and many of the same issues were found again in FY 2013. As a\nresult, NRC\xe2\x80\x99s POA&Ms are still not effective at monitoring the progress of corrective efforts\nrelative to known weaknesses in IT security controls and therefore do not provide an accurate\nmeasure of security program effectiveness.\n\nFinding #4: NRC POA&M Program Still Needs Improvement\n\nCSO-PROS-2016 describes the process for NRC to identify, assess, prioritize, and monitor the\nprogress of corrective actions pertaining to security weaknesses and provides agency direction\nfor the management and tracking of corrective efforts relative to known weaknesses in IT\nsecurity controls. As a result of recommendations from the FY 2007 FISMA evaluation, the\nagency implemented a tool for automating the POA&M process. The automated tool was put in\nplace to ensure the agency\xe2\x80\x99s POA&M procedures are implemented consistently, completely, and\naccurately.\n\nHowever, the FY 2013 FISMA evaluation team found that NRC\xe2\x80\x99s POA&M program still needs\nimprovement. 
Specifically, NRC\xe2\x80\x99s POA&M process is still not consistently followed and the\nagency\xe2\x80\x99s POA&M tool still does not implement key OMB and NRC POA&M requirements.\nThe evaluation team also found that initial target remediation dates are frequently missed. As a\nresult, the NRC\xe2\x80\x99s POA&Ms are not effective at monitoring the progress of corrective efforts\nrelative to known weaknesses in IT security controls.\n\n3.3.1 POA&M Process Requirements\n\nCSO-PROS-2016 describes specific requirements for NRC POA&Ms, including the following:\n\n   \xe2\x80\xa2   POA&Ms must be updated to add vulnerabilities identified as part of an independent\n       assessment such as security testing and evaluation, continuous monitoring, a vulnerability\n       assessment report, a security assessment report, a security impact assessment, a U.S.\n       Government Accountability Office report, or an OIG report. These weaknesses must be\n       added to the POA&M as soon as possible, but not later than 60 days from the assessor\xe2\x80\x99s\n       report.\n   \xe2\x80\xa2   POA&Ms should be updated within the automated tool by the system owner with the\n       most current information by the 15th of November, February, May, and August. 
System\n       owners should keep abreast of weakness mitigation activities to ensure the documented\n       status accurately reflects the environment at that particular point in time.\n   \xe2\x80\xa2   Once the scheduled completion date is set, it should not be changed.\n\nInstructions included with the IT security risk management activities memorandum for FY 2013\nrequired system owners to add three risk management activities and their respective due dates to\ntheir systems\xe2\x80\x99 POA&Ms in the agency information assurance tool and track them to completion.\nThese activities are annual contingency plan testing, annual security control testing, and\nsecurity-related document updates, including the annual system security plan update.\n\nThe following are some key OMB and NRC requirements for POA&M reporting:\n\n   \xe2\x80\xa2   Scheduled completion dates should not be changed.\n   \xe2\x80\xa2   All weaknesses should have a scheduled completion date.\n   \xe2\x80\xa2   All weaknesses should identify the source of the weakness.\n   \xe2\x80\xa2   All closed weaknesses should have an actual completion date.\n   \xe2\x80\xa2   Weaknesses should be reported as delayed once the scheduled completion date has passed.\n\n3.3.2 Agency Has Not Fully Met Requirements\n\nThe FISMA evaluation team reviewed NRC POA&Ms for all four quarters of FY 2012. 
As in\nprevious FISMA evaluations, we found that POA&Ms do not include all known security\nweaknesses and POA&Ms are not updated in a timely manner.\n\nPOA&Ms Do Not Include All Known Security Weaknesses\n\nCSO-PROS-2016 requires POA&Ms to be updated to add vulnerabilities identified as part of an\nindependent assessment such as security testing and evaluation, continuous monitoring,\nvulnerability assessment report, security assessment report, security impact assessment, U.S.\nGovernment Accountability Office report, or OIG report. These weaknesses must be added to\nthe POA&M as soon as possible, but not to exceed 60 days from the assessor\xe2\x80\x99s report. However,\nas reported in the FY 2012 FISMA evaluation, the FY 2013 FISMA evaluation team found some\nIT-related weaknesses were not added to the POA&Ms as required by agency policy.\n\n   \xe2\x80\xa2   Weaknesses identified during the agency\xe2\x80\x99s 2013 annual security control testing for two\n       systems were not added to their respective POA&Ms.\n   \xe2\x80\xa2   Recommendations from the agency\xe2\x80\x99s 2013 contingency plan testing for seven systems\n       were not added to their respective POA&Ms.\n   \xe2\x80\xa2   The FY 2012 FISMA evaluation noted that recommendations from an OIG report issued\n       in July 2011 on NRC\xe2\x80\x99s shared \xe2\x80\x9cS\xe2\x80\x9d drive had not been added to the appropriate POA&M.\n       To date, they still have not been added to the POA&M and three of the recommendations\n       are still open.\n   \xe2\x80\xa2   Between August 2012 and January 2013, OIG issued five reports on information security\n       risk evaluations performed in the regional offices and at the Technical Training Center.\n       None of the recommendations from these reports have been added to the appropriate\n       POA&M.\n   \xe2\x80\xa2   Only 2 of the 13 recommendations from the FY 2012 FISMA evaluation have been added\n       to the appropriate POA&M.\n   \xe2\x80\xa2   
In January 2013, OIG issued a report on the use and security of social media. The report\n       included 34 recommendations, of which 8 were IT security related; however, none were\n       added to the appropriate POA&M.\n   \xe2\x80\xa2   In April 2013, OIG issued a report on one of the agency\xe2\x80\x99s systems. The report included\n       seven recommendations, of which two were IT security related; however, they were not\n       added to the POA&M for the system.\n\nPOA&Ms Are Not Updated in a Timely Manner\n\nCSO-PROS-2016 requires POA&Ms to be updated within the automated tool by the system\nowner with the most current information by the 15th of November, February, May, and August.\nInstructions included with the IT security risk management activities memorandum for FY 2013\nrequired system owners to add annual contingency plan testing, annual security control testing,\nand security-related document updates, including annual system security plan updates to their\nsystems\xe2\x80\x99 POA&Ms.\n\nAs reported in the FY 2012 FISMA evaluation, the FY 2013 FISMA evaluation team found\nPOA&Ms are not updated in a timely manner. The following are some examples of updates that\nare not timely:\n\n   \xe2\x80\xa2   Approximately 14 percent of closed weaknesses were not reported closed in the quarter\n       in which they were actually closed.\n   \xe2\x80\xa2   Weaknesses closed by OIG are still not being reported as closed on the POA&Ms.\n   \xe2\x80\xa2   The program level POA&M and eight system POA&Ms still include weaknesses that are\n       more than 1 year old. 
One system POA&M has more than 300 weaknesses that are more\n       than 1 year old and should no longer be reported.\n   \xe2\x80\xa2   The evaluation team found that some or all of the annual IT security risk management\n       activities were not added to POA&Ms for 6 of the agency\xe2\x80\x99s 23 systems. This is a repeat\n       finding for four of those systems.\n\n3.3.3 NRC\xe2\x80\x99s POA&M Tool Still Does Not Implement Key OMB and NRC POA&M\n      Requirements\n\nIn the FY 2012 FISMA evaluation, the evaluation team found NRC\xe2\x80\x99s POA&M tool allows\nweaknesses to be created that do not follow OMB and NRC POA&M requirements.\nSpecifically, the tool:\n\n   \xe2\x80\xa2   Allows scheduled completion dates to be changed.\n   \xe2\x80\xa2   Allows weaknesses to be created without a scheduled completion date.\n   \xe2\x80\xa2   Allows weaknesses to be created with no value in the field that identifies the source of\n       the weakness.\n   \xe2\x80\xa2   Allows a weakness to be closed without specifying an actual completion date.\n   \xe2\x80\xa2   Does not automatically change the status from on track to delayed once the scheduled\n       completion date has passed.\n\nThe tool also allows users to enter actual completion dates in the future and allows users to enter\nan actual completion date when the status is not closed. These two issues have been corrected in\na new version of the tool currently under evaluation and testing; however, the remaining issues\nhave yet to be addressed.\n\n3.3.4 Initial Target Remediation Dates Are Frequently Missed\n\nThe agency\xe2\x80\x99s progress in correcting weaknesses reported on its POA&Ms has declined since FY\n2012. 
In FY 2012, the agency closed 30 percent of its program level weaknesses and 55 percent\nof its system level weaknesses. However, in FY 2013, the agency closed only 15 percent of its\nprogram level weaknesses and 37 percent of its system level weaknesses.\n\nRECOMMENDATIONS\n\nThe issue with the NRC POA&M program is a repeat finding from the FY 2012 FISMA\nevaluation. The two recommendations from the FY 2012 FISMA evaluation are still open, as the\nagency has not completed all of its planned remediation activities. Therefore, OIG is not\nissuing any new recommendations for addressing this finding.\n\n\n4      Consolidated List of Recommendations\n\nThe Office of the Inspector General recommends that the Executive Director for Operations:\n\n    1. Update the information in the NRC inventory for contractor systems to include missing\n       information and to correctly classify contractor systems in accordance with CSO-PROS-\n       2030, NRC Risk Management Framework.\n    2. Based on the updated inventory of contractor systems, identify those that are not\n       compliant with CSO-PROS-2030, NRC Risk Management Framework, and complete\n       appropriate authorization activities for those systems.\n    3. 
Develop procedures for ensuring the annual IT security risk management activities for\n       systems owned and/or operated by other agencies or contractors are completed in\n       accordance with NRC requirements.\n\n\n5      Agency Comments\n\nAn exit conference was held with the agency on November 19, 2013. At this meeting, agency\nmanagement stated their agreement with the findings and recommendations in this report and\nopted not to provide formal comments for inclusion in this report.\n\n\nAppendix.          OBJECTIVE, SCOPE, AND METHODOLOGY\n\nOBJECTIVE\n\nThe objective was to perform an independent evaluation of NRC\xe2\x80\x99s implementation of FISMA for\nFY 2013.\n\nSCOPE\n\nThe evaluation focused on reviewing the agency\xe2\x80\x99s implementation of FISMA for FY 2013. 
The\nevaluation included an assessment of compliance with FISMA requirements and related\ninformation security policies, procedures, standards, and guidelines, and a review of information\nsecurity policies, procedures, and practices of a representative subset of the agency\xe2\x80\x99s information\nsystems, including contractor systems and systems provided by other Federal agencies. Three\nagency systems and one contractor system were selected for evaluation.\n\nThe evaluation was conducted at NRC headquarters from June 2013 through September 2013.\nAny information received from the agency subsequent to the completion of fieldwork was\nincorporated when possible. Throughout the evaluation, evaluators were aware of the potential\nfor fraud, waste, or misuse in the program.\n\nMETHODOLOGY\n\nRichard S. Carson & Associates, Inc., conducted an independent evaluation of NRC\xe2\x80\x99s\nimplementation of FISMA for FY 2013. In addition to an assessment of compliance with\nFISMA requirements and related information security policies, procedures, standards, and\nguidelines, the evaluation included an assessment of the following topics specified in OMB\xe2\x80\x99s FY\n2013 Inspector General FISMA Reporting Metrics.\n\n   \xe2\x80\xa2    Continuous Monitoring Management.\n   \xe2\x80\xa2    Configuration Management.\n   \xe2\x80\xa2    Identity and Access Management.\n   \xe2\x80\xa2    Incident Response and Reporting.\n   \xe2\x80\xa2    Risk Management.\n   \xe2\x80\xa2    Security Training.\n   \xe2\x80\xa2    Plan of Action and Milestones.\n   \xe2\x80\xa2    Remote Access Management.\n   \xe2\x80\xa2    Contingency Planning.\n   \xe2\x80\xa2    Contractor Systems.\n   \xe2\x80\xa2    Security Capital Planning.\n\nTo conduct the independent evaluation, the team reviewed the following:\n\n   \xe2\x80\xa2   NRC policies, procedures, and guidance specific to NRC\xe2\x80\x99s IT security program and its\n       implementation of FISMA, and to the 11 topics specified in OMB\xe2\x80\x99s reporting metrics.\n   \xe2\x80\xa2   Security assessment and authorization documents for the four systems selected for\n       evaluation during the FY 2013 independent evaluation, including security test and\n       evaluation reports and vulnerability assessment reports prepared in support of security\n       test and evaluation.\n   \xe2\x80\xa2   Security categorizations, security plans, contingency plans, contingency plan test reports,\n       and authorization to operate memoranda for all agency systems.\n   \xe2\x80\xa2   Annual security control testing reports for all agency systems.\n   \xe2\x80\xa2   Annual security control testing report for the agency\xe2\x80\x99s common controls, as controls such\n       as incident response, security training, and security capital planning are partially provided\n       at the agency level for all NRC information systems.\n\nWhen reviewing security test and evaluation and annual security control testing reports, the team\nfocused on security controls specific to the 11 topics specified in OMB\xe2\x80\x99s reporting metrics.\n\nAll analyses were performed in accordance with guidance from the following:\n\n   \xe2\x80\xa2   NIST standards and guidelines.\n   \xe2\x80\xa2   Management Directive and Handbook 12.5, NRC Cyber Security Program.\n   \xe2\x80\xa2   NRC Computer Security Office policies, processes, procedures, standards, and\n       guidelines.\n   \xe2\x80\xa2   NRC OIG audit guidance.\n\nThe evaluation work was conducted by Jane M. Laroussi, CISSP, from Richard S. Carson &\nAssociates, Inc.\n"